Craig McDonald 17 February 2022 16:54:26 AEDT 7 MIN READ

5 Tips for Senior Executives and Board Members on Cybersecurity

By now, it’s no secret that cybersecurity needs to be top of mind for every executive and board member in any company. Unfortunately, security-savvy executives and directors are less common than those who aren’t as on top of their cybersecurity game as they could be, which makes them vulnerable to cyberattacks. Here are five ways senior executives and board members can drive a culture of cybersecurity and resilience in their organizations from the top down.

If your company data were held to ransom by criminals, how much would it cost? And what about the damage to your reputation with business partners, customers and throughout your supply chain? What if you suffered a data breach and confidential information relating to your company or customers was publicly released? As a senior executive or board member, you have a duty to set an example for the rest of your organization to follow, making clear that cybersecurity is a top priority. A single cyberattack or incident could destroy your company overnight.

Cybercrime is all-pervasive, and it's big business. Ransomware, phishing, and business email compromise (BEC) are some of the most common forms of attack, targeting executive and employee inboxes. And often there is little or no risk for offenders, for example if they are in a foreign jurisdiction. Here are five simple tips to consider.

1) Be aware of email security threats

Spear phishing, phishing, and business email compromise are fraudulent methods of obtaining sensitive and confidential information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons. Phishing is typically carried out by email spoofing or instant messaging, and it often directs users to enter details into a fake website whose look and feel are almost identical to the legitimate one. The term phish is derived from fishing: it’s like bait used to catch fish. You can find examples of common phishing attacks on our blog.

2) Protect your data from phishing attacks & ransomware

Hackers may try to scam you by posing as a legitimate organization, such as your bank or credit card company, or a major tech vendor like Microsoft or Dropbox. Phishing attacks are most commonly executed via email, with 90% of attacks delivered that way. Through prominent messaging and training, ensure that your frontline staff don’t click links in emails that come from untrusted sources, no matter how good the emails look. Another common email threat is ransomware, in which hackers encrypt important data on your company servers and devices and demand payment to get it back. If your company is targeted with ransomware, don’t pay up; instead, reach out to your trusted email security partners and contact authorities immediately.

3) Back up your data

Before you put your data at risk from a ransomware attack, make sure that it’s backed up. There are several ways to do so depending on your company’s size and budget. One of them is to outsource to cloud-based providers such as Amazon Web Services or Microsoft Azure, which offer data backup as a service. Another is to purchase software designed specifically for companies from vendors like MailGuard. Either option can be expensive — but in some cases it might be more expensive not to act. Hackers often demand payment within one or two days; if you don’t have multiple backups stored elsewhere, you could lose everything in a matter of hours. If you think it won’t happen to you, remember that other companies like Kaseya, Toll Group and Garmin made the same mistake. It can happen to anyone.

4) Keep your devices updated

You can never have too many security updates. Most cybersecurity breaches are due to vulnerabilities that could have been mitigated with proper software updates. Make sure your devices, including your computers, phones, and connected devices like printers and other peripherals, all receive regular updates to patch any vulnerabilities. All it takes is one mistake to land a device in a hacker’s hand — it’s better to be safe than sorry! Especially if those devices are networked, they can often represent an easy back door into your network for cybercriminals. Even something as innocent as a smart kettle or fridge might be an avenue into your network and data.

Use anti-virus: Even if you keep all your devices updated, there’s still a chance that hackers will get through. Anti-virus software provides an extra layer of protection against viruses and spyware. If you only do one thing from our list above, make sure you install anti-virus onto every single computer (desktop or laptop) or mobile device under your control.

5) Follow Industry Best Practices

The first step towards a culture of cybersecurity is to follow industry best practices in IT infrastructure and data management. Industry best practice starts with a zero-trust approach: assume that your network has been breached, and ensure that a bad actor who does gain access won't be able to get too far.

It’s also important to make sure that your organization has an incident response plan (IRP) in place, which is essentially a contract between your company and its users. If there is ever a data breach, it will be much easier to contain if you have an IRP in place. Likewise, thorough business continuity planning (BCP) and disaster recovery planning (DRP) will make sure that you're ready if and when the real thing happens.

Ensure you have strong password controls too. Weak passwords, or too many passwords, are what expose all companies to cyberattacks. Passwords should never be shared; they should always be strong and changed on at least a monthly basis. You should also mandate two-factor authentication or MFA for employees. Employees should use two-factor authentication wherever possible when logging into their accounts, which makes it more difficult for hackers to access sensitive corporate data. Password management software such as LastPass or similar is a good option to consider for ensuring robust passwords, providing oversight of compliance, and delivering better control and peace of mind for company leadership.

So, What's Next?

The very first thing a senior executive or board member should do is make sure they’re being informed of security incidents as they happen. This can be done through best practice email security technology like MailGuard, which filters out malicious threats before they reach your teams' inboxes and provides critical reporting to your IT & infosec leaders. Your business will be instantly more secure. Whether your business is using Google Workspace, Microsoft 365, or another platform, a multi-layered approach to email security with a specialist vendor like MailGuard is vital.

Embrace your IT and security partners and ensure that your internal teams understand that cybersecurity is a top priority and that they have your full support. Get to know your IT admins and others on the front line and ensure that your executive team and board are regularly briefed on any security threats. Depending on the size and complexity of your organization, this may be best achieved with a risk management committee and framework to ensure visibility of your end-to-end exposure. With the right tech in place, alongside well-thought-out processes and procedures, and ultimately executed by good people, your organization will be well placed to repel and mitigate any cyber threats.

Stay ahead and stay protected, by proactively pursuing preventative measures and advocating to your team before something happens. At MailGuard, we use predictive threat detection technology to provide early warnings of inbound email threats up to 24 hours ahead of our rivals, providing the best protection for businesses. Learn more about how we do it by reaching out to my team at expert@mailguard.com.au.

What cybersecurity issues are you interested in knowing about? If you have any ideas, don’t hesitate to reach out.
